
I deployed a simple website on an EC2 instance and created an elastic load balancer routing traffic to this EC2 instance.

I also created a CNAME record on my DNS registrar, pointing my domain (www.example.com) to the load balancer DNS name (load-balancer-1234567890.us-east-1.elb.amazonaws.com).

I can successfully reach my site in the browser in 3 different ways:

  • EC2 instance public IP (e.g. 54.89.99.99)
  • ELB public DNS name (e.g. load-balancer-1234567890.us-east-1.elb.amazonaws.com)
  • My domain DNS (e.g. www.example.com)

But, for security reasons, I want my EC2 instance to be accessible on port 80 only from the load balancer.

So, I changed the security group for the EC2 instance:

  • removed the rule that allowed traffic on port 80 from all sources (0.0.0.0/0)
  • added a rule to allow traffic on port 80 from my VPC (172.31.0.0/16)
  • added a rule to allow traffic on port 80 from the ELB security group (sg-xxxxxxxx)

After that, I can still access my website from the ELB DNS name, but now I can't access it from my domain (www.example.com) anymore. I get the error: ERR_CONNECTION_TIMED_OUT.

What's wrong?

Daniel Barral

  • What is the error you are getting when accessing www.example.com? – Ashan Oct 15 '17 at 01:27
  • The error in the browser is: ERR_CONNECTION_TIMED_OUT – Daniel Barral Oct 15 '17 at 01:36
  • Are you using Route53 for DNS? – Ashan Oct 15 '17 at 01:40
  • No... I am not using Route53 – Daniel Barral Oct 15 '17 at 01:46
  • I was able to access my site using this website: http://onlinecurl.com/ but can't access it from my browser, nor Postman – Daniel Barral Oct 15 '17 at 01:50
  • This seems like a DNS caching issue on your machine. Try traceroute www.example.com (or tracert www.example.com on Windows) for your domain and see whether it reaches the ELB. You can also check the cache entries using ipconfig /displaydns on Windows, and you can try flushing the DNS records on your machine (commands differ based on the OS) – Ashan Oct 15 '17 at 01:56
  • I cleared cache using "ipconfig /flushdns". The problem persisted. Then I executed "ipconfig /displaydns" and saw that there was a DNS record for my domain resolving directly to the EC2 instance IP, instead of the load balancer IP. – Daniel Barral Oct 15 '17 at 04:42
  • Then the DNS is not fully propagated. It might take time based on the TTL set for the previous record set, which directly mapped the IP to the domain. – Ashan Oct 15 '17 at 05:18
  • Ashan, you are correct. That was because of DNS propagation time. After waiting some hours, now I can access the site. Thanks. – Daniel Barral Oct 15 '17 at 16:55
  • Ashan, you can post as answer instead of comment, so that I can accept. – Daniel Barral Oct 15 '17 at 17:10
  • I have generalized the answer and posted it so that anyone else can also get the benefit of it. Thanks – Ashan Oct 15 '17 at 17:19
  • Just as an FYI, the instance does not need a public IP if it is behind a load balancer. Best practice is to divide your VPC into subnets, with your ELB in the public subnet and the instances in a private subnet. – myron-semack Oct 16 '17 at 02:30

2 Answers

This seems like a DNS caching issue on your machine or in DNS servers.

  • To clear the cache on your machine, flush the DNS using ipconfig /flushdns
  • If the issue persists, try traceroute www.example.com (or tracert www.example.com on Windows) to see whether it reaches the ELB. If the resolved IP is different from the current DNS configuration:
    • It can be due to a misconfiguration (double check)
    • If the latest DNS modification is not propagated (if it points to a previous configuration), then wait for some time until the DNS servers clear the cache based on the TTL value.
Ashan
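The check the answer describes, turned into a small script: resolve the custom domain and the ELB hostname, then classify whether the domain points at the ELB, still carries a stale A record for the instance's public IP (the case in this thread, which times out once port 80 is restricted to the ELB security group), or points somewhere else entirely. This is an added example, not code from the thread or from AWS. The function names, the `52.0.0.x` ELB addresses and the lookup table standing in for a resolver cache are constructed for illustration; only `54.89.99.99` and the hostnames come from the question. Run it as-is to see the offline simulation, or call `diagnose` without a custom resolver to query real DNS.

```python
"""Diagnose whether a custom domain resolves to the load balancer or to a stale
instance IP. Added example; assumes the hostnames from the question."""
import socket

DOMAIN = "www.example.com"
ELB_NAME = "load-balancer-1234567890.us-east-1.elb.amazonaws.com"
INSTANCE_PUBLIC_IPS = ["54.89.99.99"]  # the instance IP given in the question


def resolve(name, resolver=socket.gethostbyname_ex):
    """Return the set of IPv4 addresses `name` resolves to via `resolver`."""
    _canonical, _aliases, addresses = resolver(name)
    return set(addresses)


def diagnose(domain, elb_name, instance_ips, resolver=socket.gethostbyname_ex):
    """Classify where `domain` currently points relative to the ELB.

    Returns one of:
      "ok"           - domain shares at least one address with the ELB
      "stale-record" - domain resolves to an instance public IP, i.e. a cached
                       or not-yet-propagated A record from before the CNAME;
                       with port 80 open only to the ELB SG this times out
      "mismatch"     - domain resolves to something else (likely misconfigured)
      "unresolvable" - one of the lookups failed
    """
    try:
        domain_ips = resolve(domain, resolver)
        elb_ips = resolve(elb_name, resolver)
    except socket.gaierror:
        return "unresolvable"
    if domain_ips & elb_ips:
        return "ok"
    if domain_ips & set(instance_ips):
        return "stale-record"
    return "mismatch"


def table_resolver(table):
    """Build a gethostbyname_ex-compatible resolver from a constructed table,
    so the diagnosis can be exercised offline against a simulated cache."""
    def _resolve(name):
        if name not in table:
            raise socket.gaierror(f"{name}: Name or service not known")
        return table[name]
    return _resolve


# Constructed: the ELB's addresses (hypothetical) and a cache that still holds
# the old A record mapping the domain straight to the instance.
ELB_ADDRESSES = (ELB_NAME, [], ["52.0.0.10", "52.0.0.11"])
STALE_CACHE = {
    DOMAIN: (DOMAIN, [], ["54.89.99.99"]),
    ELB_NAME: ELB_ADDRESSES,
}
# Constructed: the same cache after the CNAME has propagated.
PROPAGATED_CACHE = {
    DOMAIN: (ELB_NAME, [DOMAIN], ["52.0.0.10"]),
    ELB_NAME: ELB_ADDRESSES,
}


if __name__ == "__main__":
    for label, table in (("stale", STALE_CACHE), ("propagated", PROPAGATED_CACHE)):
        verdict = diagnose(DOMAIN, ELB_NAME, INSTANCE_PUBLIC_IPS, table_resolver(table))
        print(f"{label:10s} -> {verdict}")
```

With a real resolver the "stale-record" verdict is the one to expect right after a registrar change: the old A record keeps being served until its TTL expires, so the security-group change looks like a connectivity fault when it is really the client connecting to an address the instance no longer accepts.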

When you create a load balancer, you select the AZs that the load balancer is located within. This means that your load balancer is located within your VPC and not outside of it (this is normal and expected).

Since your Security Group allows traffic from within your VPC (which duplicates the ELB security group, as both allow the traffic), there is something wrong with either your Security Group settings or your Load Balancer configuration. Also double check the load balancer security group settings.

John Hanley
  • It seems like it's a DNS propagation issue (check the comments on the question); see whether you can help with that. – Ashan Oct 15 '17 at 05:20